openssh known_hosts question - SSH


openssh known_hosts question

How does openssh know whether you've accepted a server's key before so
as not to ask the next time 'round?

I ran an ssh-keyscan against all servers in my known_hosts file,
redirected the output to a new file and compared the two files. They
were the same, so obviously it's not there. So where does it store that info?

Re: openssh known_hosts question

Chuck wrote:
> How does openssh know whether you've accepted a server's key before so
> as not to ask the next time 'round?

It puts the key in known_hosts.
> I ran an ssh-keyscan against all servers in my known_hosts file,
> redirected the output to a new file and compared the two files. They
> were the same, so obviously it's not there. So where does it store that info?

I'm afraid I don't understand what problem you have that you're trying
to solve. Why would ssh-keyscan output and your known_hosts file be
different?

Do you have a host that prompts you to accept a host key even though
it's in your known_hosts file? If so, can you provide the exact message
that appears? Is that host in your known_hosts list multiple times?

Re: openssh known_hosts question

Darren Dunham wrote:
> Chuck wrote:
>> How does openssh know whether you've accepted a server's key before so
>> as not to ask the next time 'round?
> It puts the key in known_hosts.

Also, do you have an /etc/ssh_known_hosts file?
--
Darren Dunham ddunham@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area < This line left intentionally blank to confuse you. >

Re: openssh known_hosts question

>>>>> "Chuck" == Chuck writes:

Chuck> How does openssh know whether you've accepted a server's key
Chuck> before so as not to ask the next time 'round?

Chuck> I ran an ssh-keyscan against all servers in my known_hosts
Chuck> file, redirected the output to a new file and compared the
Chuck> two files. They were the same, so obviously it's not there. So
Chuck> where does it store that info?

If you accept a key yourself as part of an SSH session, it's stored in
~/.ssh/known_hosts. There is also a per-machine file,
/etc/ssh_known_hosts.

Note that OpenSSH does not canonicalize names; it matches what you type on
the command line verbatim against the keys in the known_hosts file (aside
from the use of patterns in that file). So if you have an entry:

foo.bar.com ssh-rsa AAAAB3NzaC1kc3MAAACBAMXXH+SzAIPRN38GehSA...

and you type "ssh foo", they will not match. You can edit thus:

foo.bar.com,foo ssh-rsa AAAAB3NzaC1kc3MAAACBAMXXH+SzAIPRN38GehSA...

... to fix this. Or, you can use Kerberos, which does canonicalize
names.

Re: openssh known_hosts question

Darren Dunham wrote:
> Darren Dunham wrote:
>> Chuck wrote:
>>> How does openssh know whether you've accepted a server's key before so
>>> as not to ask the next time 'round?
>
>> It puts the key in known_hosts.
>
> Also, do you have an /etc/ssh_known_hosts file?

I'm just trying to figure out where it stores the info that you've
accepted a key before or not. I was being prompted for keys that were in
the known_hosts file.

No I do not have an /etc/ssh_known_hosts file.

Re: openssh known_hosts question

Richard E. Silverman wrote:
>>>>>> "Chuck" == Chuck writes:
>
> Chuck> How does openssh know whether you've accepted a server's key
> Chuck> before so as not to ask the next time 'round?
>
> Chuck> I ran an ssh-keyscan against all servers in my known_hosts
> Chuck> file, redirected the output to a new file and compared the
> Chuck> two files. They were the same, so obviously it's not there. So
> Chuck> where does it store that info?
>
> If you accept a key yourself as part of an SSH session, it's stored in
> ~/.ssh/known_hosts. There is also a per-machine file,
> /etc/ssh_known_hosts.
>
> Note that OpenSSH does not canonicalize names; it matches what you type on
> the command line verbatim against the keys in the known_hosts file (aside
> from the use of patterns in that file). So if you have an entry:
>
> foo.bar.com ssh-rsa AAAAB3NzaC1kc3MAAACBAMXXH+SzAIPRN38GehSA...
>
> and you type "ssh foo", they will not match. You can edit thus:
>
> foo.bar.com,foo ssh-rsa AAAAB3NzaC1kc3MAAACBAMXXH+SzAIPRN38GehSA...
>
> ... to fix this. Or, you can use Kerberos, which does canonicalize
> names.
>

Thanks Richard. That's probably what happened. Is there a way to tell
ssh-keyscan to include the hostname, FQDN, and IP address all in the
first field?

Re: openssh known_hosts question

Chuck wrote:
> Darren Dunham wrote:
>> Darren Dunham wrote:
>>> Chuck wrote:
>>>> How does openssh know whether you've accepted a server's key before so
>>>> as not to ask the next time 'round?
>>
>>> It puts the key in known_hosts.
> I'm just trying to figure out where it stores the info that you've
> accepted a key before or not. I was being prompted for keys that were in
> the known_hosts file.

Were the names of the hosts that you gave to ssh the same as the name in
the known_hosts file? Two different names for the same server won't
match.

Re: openssh known_hosts question

Darren Dunham wrote:
> Chuck wrote:
>> Darren Dunham wrote:
>>> Darren Dunham wrote:
>>>> Chuck wrote:
>>>>> How does openssh know whether you've accepted a server's key before so
>>>>> as not to ask the next time 'round?
>>>> It puts the key in known_hosts.
>
>> I'm just trying to figure out where it stores the info that you've
>> accepted a key before or not. I was being prompted for keys that were in
>> the known_hosts file.
>
> Were the names of the hosts that you gave to ssh the same as the name in
> the known_hosts file? Two different names for the same server won't
> match.
>

That's what I've found out. One thing I want to accomplish from this
exercise is to create a known_hosts file that can be distributed
throughout the entire network. I'm going to need to edit it to include the
hostname, FQDN, and IP address on each line.
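An added example (not from anyone in this thread) that does the edit Chuck describes and illustrates Richard's point about name matching: it parses ssh-keyscan style lines, merges a short name and IP into the first field, and checks a typed host name against that field the way OpenSSH does (verbatim, case-insensitive, with `*`/`?` wildcards, no DNS canonicalization). The scan output, key body, alias table and IP are all constructed placeholders.

```python
"""Merge host-name aliases into known_hosts lines and test name matching."""
import fnmatch

# Constructed sample of what `ssh-keyscan -t rsa foo.bar.com` prints;
# the key body is a placeholder, not a real key.
SCAN_OUTPUT = """\
# foo.bar.com:22 SSH-2.0-OpenSSH
foo.bar.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholder=
"""

# Hypothetical alias table built from DNS/inventory: FQDN -> extra names.
ALIASES = {"foo.bar.com": ["foo", "192.0.2.10"]}


def parse_known_hosts(text):
    """Return [(name_patterns, keytype, key)] for each plain key line.
    Comment lines are skipped; hashed (|1|...) and @marker lines are not
    handled in this example."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|1|", "@")):
            continue
        fields = line.split(None, 2)
        if len(fields) == 3:
            entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries


def entry_matches(name_patterns, typed):
    """OpenSSH compares the name you typed, lower-cased, against each
    comma-separated pattern in the first field; it never resolves 'foo'
    to 'foo.bar.com' for you. Negated (!) patterns are ignored here."""
    typed = typed.lower()
    return any(fnmatch.fnmatchcase(typed, p.lower())
               for p in name_patterns if not p.startswith("!"))


def merge_aliases(text, aliases):
    """Rewrite each key line so its first field lists every known name."""
    out = []
    for names, keytype, key in parse_known_hosts(text):
        merged = list(names)
        for alias in (a for n in names for a in aliases.get(n, [])):
            if alias not in merged:
                merged.append(alias)
        out.append(f"{','.join(merged)} {keytype} {key}")
    return out


if __name__ == "__main__":
    print("\n".join(merge_aliases(SCAN_OUTPUT, ALIASES)))
```

The merged line matches whether the user types `foo`, `foo.bar.com` or the address, which is what a network-wide known_hosts file needs.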

Re: openssh known_hosts question

>>>>> "Chuck" == Chuck writes:

Chuck> Richard E. Silverman wrote:
>>>>>>> "Chuck" == Chuck writes:
>>
Chuck> How does openssh know whether you've accepted a server's key
Chuck> before so as not to ask the next time 'round?
>>
Chuck> I ran an ssh-keyscan against all servers in my known_hosts
Chuck> file, redirected the output to a new file and compared the
Chuck> two files. They were the same, so obviously it's not there. So
Chuck> where does it store that info?
>> If you accept a key yourself as part of an SSH session, it's
>> stored in ~/.ssh/known_hosts. There is also a per-machine file,
>> /etc/ssh_known_hosts.
>>
>> Note that OpenSSH does not canonicalize names; it matches what you
>> type on the command line verbatim against the keys in the
>> known_hosts file (aside from the use of patterns in that file). So
>> if you have an entry:
>>
>> foo.bar.com ssh-rsa AAAAB3NzaC1kc3MAAACBAMXXH+SzAIPRN38GehSA...
>>
>> and you type "ssh foo", they will not match. You can edit thus:
>>
>> foo.bar.com,foo ssh-rsa AAAAB3NzaC1kc3MAAACBAMXXH+SzAIPRN38GehSA...
>>
>> ... to fix this. Or, you can use Kerberos, which does canonicalize
>> names.
>>

Chuck> Thanks Richard. That's probably what happened. Is there a way
Chuck> to tell ssh-keyscan to include the hostname, FQDN, and IP
Chuck> address all in the first field?